Buffer Overflow Vulnerability in GRUB's UDF Filesystem Module by Red Hat
CVE-2025-0689

7.8HIGH

Key Information:

Vendor: Gnu
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 3 March 2025

What is CVE-2025-0689?

The GRUB UDF filesystem module contains a vulnerability that allows a crafted filesystem image to exploit the way it allocates internal buffers based on user-controlled data length metadata. During the reading of data from disk, the module incorrectly assumes that the read size from the disk will always be smaller than the allocated buffer size. This oversight can lead to a heap-based buffer overflow, resulting in potential data corruption and enabling the execution of arbitrary code, potentially bypassing secure boot mechanisms.

References

https://access.redhat.com/security/cve/CVE-2025-0689

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2346122

issue-trackingx_refsource_REDHAT

https://lists.gnu.org/archive/html/grub-devel/2025-02/msg...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2025
Vulnerability Reserved
Jan 23, 2025

Gnu

What is CVE-2025-0689?

References

CVSS V3.1

Timeline